Bug#589767: clamav: clamscan gives opposite results on mbox file vs. maildir file
tags 589767 + upstream
forwarded 589767 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2253
thanks

> Michael writes:
> [...]
> > I guess you could zip the file, make the archive password protected and
> > send the password along :-) That way anybody could get a chance to read
> > it. If you prefer the gpg variant, my public key is attached.
>
> I found alternate ways to do my work. Anyway, attached is a gpg symmetric
> encrypted file that I referred to in earlier messages. The password is
> debian.

It seems that whatever mailserver software you might be using, it adds some
X-* headers at the very beginning of the email message. Consequently clamav
fails to detect this as a Maildir file and treats it as ASCII text instead.
It then fails to conclude that it is a phishing message. I've asked upstream
to improve their detection capabilities.

Thanks a lot for reporting this and providing all the necessary debugging
information!

Best,
Michael

Attachment: pgp2nGGffCziB.pgp (PGP signature)
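The failure Michael describes above (MTA-added X-* headers at the top of a Maildir file, so the file is no longer recognised as mail and the phishing heuristics never run) can be reproduced on a constructed message and worked around by wrapping the file in the mbox form the reporter saw alert on. The following is an added example, not code from this thread, from ClamAV or from Debian: the first-line sniff in classify() is an assumption that stands in for a file-type table and is not libclamav's actual detection logic; the sample message, addresses and header values are constructed.

```python
"""Why a mail file can flip between 'mail' and 'plain text' for a type sniffer.

Added illustration for the bug thread, not ClamAV or Debian code.  The
first-line sniff in classify() is an assumption standing in for a file-type
table; it is not libclamav's real detection logic.
"""
import email
import re
import time

# RFC 5322 field name (printable US-ASCII except ':') followed by ':'
HEADER_RE = re.compile(rb"^([!-9;-~]+):")
# mboxrd quoting target: lines that would look like a new envelope separator
FROM_QUOTE_RE = re.compile(rb"^>*From ")

# Constructed sample (not the reporter's message): a Maildir file whose first
# two lines are X-* headers added by the MTA, ahead of the usual header block.
SAMPLE_MAILDIR = (
    b"X-Original-To: jeff@example.invalid\n"
    b"X-Spam-Status: No, score=0.0\n"
    b"Return-Path: <sender@example.invalid>\n"
    b"Received: from mx.example.invalid by mail.example.invalid;"
    b" Tue, 20 Jul 2010 10:00:00 +0000\n"
    b"From: sender@example.invalid\n"
    b"To: jeff@example.invalid\n"
    b"Subject: Please verify your account\n"
    b"Date: Tue, 20 Jul 2010 10:00:00 +0000\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Click http://example.invalid/verify to keep your account open.\n"
)


def classify(data: bytes) -> str:
    """Sniff the file type from its first line only (assumed sniffer rule).

    Returns 'mbox' (envelope 'From ' separator), 'mail' (a standard header),
    'x-header-first' (an X-* header, the case from the report) or 'text'.
    """
    first = data.split(b"\n", 1)[0]
    if first.startswith(b"From "):
        return "mbox"
    m = HEADER_RE.match(first)
    if not m:
        return "text"
    if m.group(1).lower().startswith(b"x-"):
        return "x-header-first"
    return "mail"


def leading_x_headers(data: bytes) -> list:
    """Names of the X-* fields that precede the first non-X header."""
    names = []
    for line in data.split(b"\n"):
        if line == b"":
            break                       # end of the header block
        if line[:1] in b" \t":
            continue                    # folded continuation of the last field
        m = HEADER_RE.match(line)
        if not m or not m.group(1).lower().startswith(b"x-"):
            break
        names.append(m.group(1).decode("ascii").lower())
    return names


def to_mbox(data: bytes, envelope_from: str = "MAILER-DAEMON",
            when: float = 0.0) -> bytes:
    """Wrap one Maildir message as a single-message mbox.

    Prepends the 'From sender date' envelope line (the line whose presence the
    reporter tied to the alert) and applies mboxrd quoting so body lines that
    begin with 'From ' cannot be mistaken for the start of another message.
    """
    separator = "From %s %s\n" % (envelope_from, time.asctime(time.gmtime(when)))
    text = data if data.endswith(b"\n") else data + b"\n"
    quoted = b"\n".join(
        b">" + line if FROM_QUOTE_RE.match(line) else line
        for line in text.split(b"\n")
    )
    return separator.encode("ascii") + quoted + b"\n"   # blank line ends the message


def subject_of(data: bytes) -> str:
    """The stdlib parser is indifferent to header order and to the envelope
    line: both forms carry the same message, only the type sniff differs."""
    return email.message_from_bytes(data)["Subject"] or ""


if __name__ == "__main__":
    print(classify(SAMPLE_MAILDIR), leading_x_headers(SAMPLE_MAILDIR))
    print(classify(to_mbox(SAMPLE_MAILDIR, "sender@example.invalid")))
```

to_mbox() is the pre-scan workaround a practitioner can apply to a Maildir: the headers are untouched, so the parsed message is identical, as subject_of() shows. Note that clamscan reads its scan options from the command line rather than from clamd.conf, so the clamd.conf dump in the original report does not describe the scan the reporter ran.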
Bug#589767: clamav: clamscan gives opposite results on mbox file vs. maildir file
On 09/08/2010 06:45 AM, Michael Tautschnig wrote:
> tags 589767 + upstream
> forwarded 589767 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2253
> thanks
>
> > Michael writes:
> > [...]
> > > I guess you could zip the file, make the archive password protected and
> > > send the password along :-) That way anybody could get a chance to read
> > > it. If you prefer the gpg variant, my public key is attached.
> >
> > I found alternate ways to do my work. Anyway, attached is a gpg symmetric
> > encrypted file that I referred to in earlier messages. The password is
> > debian.
>
> It seems that whatever mailserver software you might be using, it adds some
> X-* headers at the very beginning of the email message. Consequently clamav
> fails to detect this as a Maildir file and treats it as ASCII text instead.
> It then fails to conclude that it is a phishing message. I've asked upstream
> to improve their detection capabilities.

Postfix.

> Thanks a lot for reporting this and providing all the necessary debugging
> information!

And thank you for all of the work that you do for Debian. I wish that I had
more time to help out. I miss out on a lot of the code work in my present job
incarnation. I start to get into it when immediately I'm pulled in another
direction.

-jeff

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#589767: clamav: clamscan gives opposite results on mbox file vs. maildir file
Michael writes:
[...]
> I guess you could zip the file, make the archive password protected and send
> the password along :-) That way anybody could get a chance to read it. If you
> prefer the gpg variant, my public key is attached.

I found alternate ways to do my work. Anyway, attached is a gpg symmetric
encrypted file that I referred to in earlier messages. The password is debian.

-jeff

Attachment: Inbox-infectmsg1.gpg (binary data)
Bug#589767: clamav: clamscan gives opposite results on mbox file vs. maildir file
[...]
> I had isolated the message that caused the behavior and was trying to send
> it along as an attachment. The debian mail server kept kicking it back to
> me. If you have a public key to encrypt the message, then I could send it
> to the BTS and would imagine that the server would accept it then. Or if
> you know of another, possibly a more standard, way of passing the message
> to you, then we could do that.

I guess you could zip the file, make the archive password protected and send
the password along :-) That way anybody could get a chance to read it. If you
prefer the gpg variant, my public key is attached.

Best,
Michael

Attachment: PGP public key block (GnuPG v1.4.10, Darwin)
Bug#589767: clamav: clamscan gives opposite results on mbox file vs. maildir file
Hi Jeff,

> The problem seems to be associated with the initial From line. If it is
> there, then clamscan gives the alert. If it is missing, then it does not.
> Usually, clamscan works the same in either situation (at least with
> mbox2maildir which I have been using up until trying mb2md). The attached
> file seems to be special somehow.
[...]

I'm somewhat unclear whether you are speaking of the attachment-part of your
file or whether you had intended to attach some file to your bugreport. Indeed
such an example would be very useful for debugging this issue. Could you maybe
come up with a file where you remove all the private contents?

Thanks a lot,
Michael

Attachment: pgpTOPIPwy7Po.pgp (PGP signature)
Bug#589767: clamav: clamscan gives opposite results on mbox file vs. maildir file
Michael writes:
> Hi Jeff,
>
> > The problem seems to be associated with the initial From line. If it is
> > there, then clamscan gives the alert. If it is missing, then it does not.
> > Usually, clamscan works the same in either situation (at least with
> > mbox2maildir which I have been using up until trying mb2md). The attached
> > file seems to be special somehow.
> [...]
>
> I'm somewhat unclear whether you are speaking of the attachment-part of your
> file or whether you had intended to attach some file to your bugreport.
> Indeed such an example would be very useful for debugging this issue. Could
> you maybe come up with a file where you remove all the private contents?

I had isolated the message that caused the behavior and was trying to send it
along as an attachment. The debian mail server kept kicking it back to me. If
you have a public key to encrypt the message, then I could send it to the BTS
and would imagine that the server would accept it then. Or if you know of
another, possibly a more standard, way of passing the message to you, then we
could do that.

-jeff
Bug#589767: clamav: clamscan gives opposite results on mbox file vs. maildir file
Package: clamav
Version: 0.96.1+dfsg-1~volatile1
Severity: normal

Clamscan gives an alert on an mbox file with message provided as an attachment
(nix that, every time I send it whether tar'ed and compressed or whatever the
debian mail server rejects it since it has malware.) However when the mbox is
broken out into individual message files via mb2md or mbox2maildir, then
clamscan no longer gives the alert. The problem seems to be associated with
the initial From line. If it is there, then clamscan gives the alert. If it is
missing, then it does not. Usually, clamscan works the same in either
situation (at least with mbox2maildir which I have been using up until trying
mb2md). The attached file seems to be special somehow.

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
---
LogFile = /var/log/clamav/clamav.log
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = yes
LogClean disabled
LogSyslog disabled
LogFacility = LOG_LOCAL6
LogVerbose disabled
PidFile = /var/run/clamav/clamd.pid
TemporaryDirectory = /tmp
DatabaseDirectory = /var/lib/clamav
OfficialDatabaseOnly disabled
LocalSocket = /var/run/clamav/clamd.ctl
LocalSocketGroup = clamav
LocalSocketMode = 666
FixStaleSocket = yes
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = 15
StreamMaxLength = 10485760
StreamMinPort = 1024
StreamMaxPort = 2048
MaxThreads = 12
ReadTimeout = 180
CommandReadTimeout = 5
SendBufTimeout = 200
MaxQueue = 100
IdleTimeout = 30
ExcludePath disabled
MaxDirectoryRecursion = 15
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = yes
SelfCheck = 3600
VirusEvent disabled
ExitOnOOM disabled
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = clamav
AllowSupplementaryGroups = yes
Bytecode = yes
BytecodeSecurity = TrustSigned
BytecodeTimeout = 6
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = yes
ScanPE = yes
ScanELF = yes
DetectBrokenExecutables disabled
ScanMail = yes
ScanPartialMessages disabled
PhishingSignatures disabled
PhishingScanURLs = yes
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = 3
StructuredMinSSNCount = 3
StructuredSSNFormatNormal = yes
StructuredSSNFormatStripped disabled
ScanHTML = yes
ScanOLE2 = yes
ScanPDF = yes
ScanArchive = yes
ArchiveBlockEncrypted disabled
MaxScanSize = 104857600
MaxFileSize = 26214400
MaxRecursion = 16
MaxFiles = 1
ClamukoScanOnAccess disabled
ClamukoScannerCount = 3
ClamukoScanOnOpen disabled
ClamukoScanOnClose disabled
ClamukoScanOnExec disabled
ClamukoIncludePath disabled
ClamukoExcludePath disabled
ClamukoMaxFileSize = 5242880
DevACOnly disabled
DevACDepth disabled

Config file: freshclam.conf
---
LogFileMaxSize disabled
LogTime disabled
LogSyslog disabled
LogFacility = LOG_LOCAL6
LogVerbose disabled
PidFile = /var/run/clamav/freshclam.pid
DatabaseDirectory = /var/lib/clamav/
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = /var/log/clamav/freshclam.log
DatabaseOwner = clamav
Checks = 4
DNSDatabaseInfo = current.cvd.clamav.net
DatabaseMirror = db.local.clamav.net, database.clamav.net, clamav.catt.com, db.us.clamav.net
MaxAttempts = 5
ScriptedUpdates = yes
TestDatabases = yes
CompressLocalDatabase disabled
ExtraDatabase disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = /etc/clamav/clamd.conf
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = 30
ReceiveTimeout = 30
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = yes

clamav-milter.conf not found

Software settings
-----------------
Version: 0.96.1
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 JIT

Database directory: /var/lib/clamav/
WARNING: freshclam.conf and clamd.conf point to different database directories
main.cld: version 52, sigs: 704727, built on Mon Feb 15 09:54:51 2010
daily.cld: version 11397, sigs: 103036, built on Tue Jul 20 06:11:17 2010
bytecode.cld: version 31, sigs: 7, built on Thu Jul 8 12:46:51 2010

Platform information
--------------------
uname: Linux 2.6.26-2-686 #1 SMP Mon Jun 21 05:58:44 UTC 2010 i686
OS: linux-gnu, ARCH: i386, CPU: i486
zlib version: 1.2.3.3 (1.2.3.3), compile flags: 55

Build information
-----------------
GNU C: 4.3.2 (4.3.2)
GNU C++: 4.3.2 (4.3.2)
CPPFLAGS:
CFLAGS: -Wall -g -O2
CXXFLAGS: -Wall -g -O2
LDFLAGS:
Configure: '--build=i486-linux-gnu' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-clamav' '--with-dbdir=/var/lib/clamav/' '--sysconfdir=/etc/clamav' '--enable-milter' '--disable-clamuko' '--with-gnu-ld'